Sony Pictures Online Hacked Using “Primitive and Common” Vulnerability, Data Unencrypted [News]

Tim Brookes 03-06-2011

On Thursday evening, hacker group “LulzSec” announced via Twitter that they had gained access to and stolen over 1 million accounts, passwords and sensitive user information. Shortly after the news broke, copies of the compromised data were surfacing on filesharing websites (such as MediaFire, where it was removed) and BitTorrent trackers including The Pirate Bay.


The group left a message on PasteBin revealing the full extent of the intrusion, which includes thousands of email and password combinations, personal information (including names, addresses, dates of birth and phone numbers), nearly 3.5 million “music coupons” and over 60,000 “music codes”. The group also announced that Sony’s security was overcome by a simple SQL injection attack.

In a statement, the group said: “ was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks?”


The group also stated: “Every bit of data we took wasn’t encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext, which means it’s just a matter of taking it. This is disgraceful and insecure: they were asking for it.”
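As an added illustration (not part of the original article, and not Sony's code), the two weaknesses LulzSec describes shown side by side: a login query assembled by string concatenation, its parameterized replacement, and salted password hashing in place of plaintext storage. The user table, sample accounts and the test input are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed stand-in for a customer table like those in the leaked dump:
# email plus password, stored in plaintext (the practice the article criticises).
SAMPLE_USERS = [("alice@example.com", "hunter2"), ("bob@example.com", "letmein")]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, email, password):
    """Query built by string formatting: user input becomes part of the SQL text,
    so quote characters in the input change the WHERE clause itself."""
    sql = (
        f"SELECT email FROM users WHERE email = '{email}' "
        f"AND password = '{password}'"
    )
    return sorted(row[0] for row in conn.execute(sql))


def login_parameterized(conn, email, password):
    """Same lookup with bound parameters: the driver passes the values separately
    from the statement, so input can never alter the query structure."""
    sql = "SELECT email FROM users WHERE email = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (email, password)))


def hash_password(password, salt=None, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256: a dumped table then yields no usable plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password, salt, digest, iterations=200_000):
    """Recompute the hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)
```

With a tautology such as `' OR '1'='1` as both fields, `login_vulnerable` returns every row while `login_parameterized` returns none; the hashing helpers show what the stored column should have contained instead of the password itself.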

The group has released a sample of the plundered data, though the posted files contain only a small portion of what was compromised. Full databases have also been posted online, along with a database layout text document to aid the extraction of data. The database contains both military and government email and password combinations, and also admin accounts to Sony Pictures Online.



The following excerpt was taken from the “FILE CONTENTS.txt” document that accompanies LulzSec’s limited release:

Contents of our plunder:

## Sony_Pictures_International_AUTOTRADER_USERS.txt ##
– In this file you will find just under 12,500 customers of Sony; this includes dates of birth, addresses, emails, full names, passwords, user IDs, and personal phone numbers.

## Sony_Pictures_International_BEAUTY_USERS.txt ##
– In this file you will find just under 21,000 customers of Sony; this is a simple email/password drop. Enjoy your account stealing.

## Sony_Pictures_International_COUPONS.txt ##
– In this file you will find just under 20,000 Sony music coupons; please note that there are 3.5 million coupons to take – get ’em.

## Sony_Pictures_International_DELBOCA_USERS.txt ##
– In this file you will find just under 18,000 customers of Sony; this is a simple email/password drop. Again, enjoy your stealing.

## Sony_Pictures_International_MUSIC_CODES.txt ##
– In this file you will find just under 67,000 Sony music codes; they’re like magnets, we simply have no idea how they work.

## Sony_Pictures_International_TABLE_LAYOUT.txt ##
– In this file you will find the layout of the database; that means you can easily see where to steal things from.

Note that the database contains far more user information/coupons than we took. The point is that we had control of them; all of them. We leave the rest up to you – steal as much as you want, go forth!

## Sony_BMG_Music_Entertainment_NETHERLANDS ##
– This file contains the user database of BMG Netherlands; it’s around 600 usernames, emails, and passwords. Enjoy.

## Sony_BMG_Music_Entertainment_BELGIUM ##
– This file contains the Sony admin database of BMG Belgium; also lots of barcodes, release dates, and other juicy shit.

The group were also responsible for several other recent security breaches, including the defacement of the Public Broadcasting Service (PBS) website and Sony Music of Japan. Sony has acknowledged the claims and is said to be investigating.



Source: / @LulzSec
Think you could do a better job of security? Angry with Sony for not protecting your information? Angry with the hackers for stealing it in the first place? Vent some steam in the comments below!




  1. Anonymous
    June 4, 2011 at 7:17 am

    All this news makes me nervous about hacking of Cloud Storage. :(

  2. Dave
    June 4, 2011 at 6:30 am

    Nathan - if you leave your wallet full of cash in your house, walk out and don't lock the front door of your house, do you deserve it and is it your fault if I walk in and take your wallet? Of course not!!!!!!

    This is exactly the same and btw let's not delude ourselves or be so naive here... lots and lots of companies have little to no security or encryption of information - it just happens Sony was caught again.

    And one more thing, I highly doubt Sony music/pictures is actually run by Sony. These are likely sourced to 3rd parties to implement and maintain. Granted Sony should check the security of their information and sites, but it's likely sourced to the lowest bidder.

  3. a concerned citazen
    June 3, 2011 at 10:32 pm

    If LulzSec didn't do it, someone with really bad intent would.

  4. Nathan
    June 3, 2011 at 7:45 pm

    I'm actually glad that there are people out there like LulzSec that take the time and effort to do the work it takes to expose the shoddy techniques and vulnerabilities of companies on the web. The fact that LulzSec was willing to post this as conspicuously as possible shows that the main intent was to inflame the people whose information was exposed, as well as shame Sony Pictures Online into actually doing something to change their site's security.

    Is what LulzSec did illegal? Sure. Is it unethical? That depends on your viewpoint. I personally believe that it's Sony Pictures who are the unethical ones, collecting millions of users' personal information and letting it sit there where it can be exploited by whomever puts the slightest bit of effort into obtaining it. People deserve a right to privacy online. It's large companies that couldn't give a crap about securing the personal data that has been entrusted to them by their own customers that leads to an overall distrust of Internet information policies. This makes even companies with flawless Internet security records look bad. If anything, Sony should be grateful for the fact that the hackers let them in on the whole thing because, had they not, this security hole would be left to people with much more malicious intent.

    • Scutterman
      June 4, 2011 at 7:25 am

      Your view makes sense in theory, but in reality zero day exploits do no-one any good. By releasing details of the exploit before notifying Sony they left the door open to those people with "more malicious intent" and by releasing the data to the internet at large, available to anyone for any purpose, they have proven that they themselves have malicious intent.

  5. Maggie
    June 3, 2011 at 4:57 pm

    To the people who think that attacks like this will make the government run the Internet: Like they aren't trying to do that already? What should worry you is that the state is more concerned with protecting companies like Sony from any liability or responsibility for their poor security.

  6. Devil Dog
    June 3, 2011 at 4:55 pm

    These idiots don't realize that it will come to the U.S.A. having a government-run internet, cans and cannots. They ought to be shot in front of a firing squad. Period.

    • pceasies
      June 3, 2011 at 7:05 pm

      The government should be worrying about controlling companies leaving peoples' personal information laying around instead of trying to control the technology that connects everything together.

  7. Dave
    June 3, 2011 at 4:41 pm

    James, Lolsec have broken the law by posting the data online (here in the UK at least). If this was your data (name, address, password) would you be so smug?
    These guys are criminals, nothing more, nothing less, and all they are doing is creating an environment where the internet will be heavily monitored by Governments (eventually) adding laws on what we can do or can't do. These exploits will only go on for so long before some kind of draconian law is passed which will affect us all including you! Think about that before giving support to a bunch of low lifes who get kicks passing about innocent people's information.

    • Anonymous
      June 8, 2011 at 8:23 pm

      lolsec? HAHAHA

  8. Richard Servello
    June 3, 2011 at 4:03 pm

    Maybe Sony should offer these guys a job fixing the holes?

  9. James Bruce
    June 3, 2011 at 4:02 pm

    Hilarious stuff, and damn Sony, they deserve it all. Picking on a lil hacker for cracking the ps3 - I guess they learnt their lesson though.

  10. Scutterman
    June 3, 2011 at 3:56 pm

    I knew they'd get hacked again after the PSN incident, and it doesn't show any faith that such a simple vulnerability was found after they were supposed to be implementing such tight security over *all* of their systems.

    It makes me wonder how hard the original hackers actually had to try...?

  11. pceasies
    June 3, 2011 at 3:39 pm

    Right after the PSN incident too, heh

  12. Ankur
    June 3, 2011 at 3:19 pm

    Can't believe that such a huge company was not using encryption. Shame.